Hi there,

We need to respond to the CERT multiple vendor zlib issue as a "vendor". I've taken the liberty of preparing an advisory. It's probably better if everyone who has a server or client and uses zlib to use the same advisory. Trust me, as a security person I get about 40-80 of these a day, and it's just easier if all the information is in the one place.

If you maintain a version of VNC that includes zlib in the viewer or server, please get back to me if you are affected, and what plans you have to go to zlib version 1.1.4 or the fixed version of zlib from Redhat.

Andrew

Ps. The circumstances where this bug can be exploited are fairly low likelihood.

--------------------------BEGIN INCLUDED TEXT--------------------

VNC Security Bulletin
Zlib double free issue
15 March 2002

Security Bulletin Summary
-------------------------

Topic:            zlib double free may cause local exploit or crash
Vendor:           Multiple vendors
Product:          TightVNC Xvnc, WinVNC
                  Tridia Xvnc, WinVNC
                  ChromiVNC
                  VNCThing
                  VNC Viewer for Java
                  VNC Viewer for Apple Newton
Operating System: VNC is portable across multiple vendors including Linux, NetBSD, FreeBSD, Solaris, MacOS and all Win32 platforms
Impact:           Potential root / LOCALSYSTEM compromise
                  Execute arbitrary code/commands
Access Required:  Local, requires existing password
Version:          The following programs link with or are statically linked with zlib and should be upgraded:
                    TightVNC 1.2.2 (both Xvnc and WinVNC)
                    TridiaVNC 1.5.4
                    ChromiVNC v3.4 alpha 5 for MacOS (68k and PPC platforms)
                    VNCThing for MacOS X (and MacOS platforms with Carbon)
                    VNC Viewer for Java
                    VNC Viewer and Server for Apple Newton
                    XXX: others?

                  Unknown at this time:
                    Unix: IBM AIX 4.3.3 and 5L, "Toolbox for Linux applications" (based upon AT&T?)
                    XXX: others?

                  Not vulnerable:
                    Unix:    AT&T VNC 3.3.3r2 (current version)
                    Windows: AT&T WinVNC 3.3.3r9 for x86 (current version)
                             WinVNC 3.3.3r1 for Alpha processors
                             AT&T WINVNC 3.3.3r2 beta
                    WinCE Geos (Nokia 9000) VNCGEO10
                    OS/2:    VNC Viewer for OS/2 PM 1.00
                    PalmOS:  PalmVNC 1.40
                    RiscOS:  !VNC (any version)
                    VMS:     AT&T VNC VNC333R1VMS011 package
                    XXX: Others?

Fixed in:         None yet shipped

Abstract
========

There is a vulnerability in the decompression algorithm used by the popular zlib compression library. If an attacker is able to pass a specially-crafted block of invalid compressed data to a program that includes zlib, the program's attempt to decompress the crafted data can cause the zlib routines to corrupt the internal data structures maintained by malloc.

Various VNC implementations use the affected versions of zlib. This could lead to execution of arbitrary code under the privilege of the user of the client program utilizing gzip, which is generally the local user in Unix (which may include root), and the local user or Administrator in WinNT/2000/XP, or complete control of platforms without a security architecture (MacOS, Win95 - WinME, WinCE, Newton, etc).

Technical Details
=================

CERT advisory: http://online.securityfocus.com/advisories/3955

Solutions and Workarounds
=========================

Typically, Unix versions of affected VNC viewers utilize the zlib shared library, libz.so. Upgrading zlib should remedy the problem for most users of Unix platforms. However, the following versions have been statically linked against zlib, and will require upgrading when new versions are available:

TightVNC 1.2.2
  A future version will be available shortly to correct this problem.

TridiaVNC 1.4.0
  A future version will be available shortly to correct this problem.

Java viewers and servers rely on the Java Runtime Environment (JRE) and the client browser being correct. To correct Java problems, please review the appropriate advisories for Java or your browser for your platform.

Thanks To
=========

Sites with VNC affected clients and servers
===========================================

Newton: http://mywebpages.comcast.net/saweyer/newton/vnc.htm

Vendor responses

Revision History
================

2002-03-15 Initial release

More Information
================

An up-to-date PGP signed copy of this release will be maintained at XXX: To be advised.

Copyright 2002, Andrew van der Stock et al. All Rights Reserved.
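The Solutions and Workarounds section points out that upgrading libz.so does nothing for viewers and servers that were statically linked against zlib; those have to be found and rebuilt. The script below is an added example for locating such binaries on a Unix host. It is not part of the advisory or of any VNC project. It relies on the copyright string that zlib compiles into every build (inftrees.c carries " inflate X.Y.Z Copyright ... Mark Adler "), extracts the version from it, and flags anything older than 1.1.4, the fixed release named above. The function names are my own, and the sample "binaries" mentioned in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): find files that embed zlib's
# "inflate X.Y.Z Copyright" string, i.e. carry their own copy of zlib,
# and report those whose embedded version predates 1.1.4.

# Echo the version found in zlib's embedded inflate copyright string,
# or nothing if the file does not contain one. Non-printable bytes are
# turned into newlines first so the string lands on a line of its own.
embedded_zlib_version() {
    tr -c '[:print:]' '\n' < "$1" \
        | sed -n 's/^.*inflate \([0-9][0-9.]*\) Copyright.*$/\1/p' \
        | head -n 1
}

# Return success when dotted version $1 is strictly older than $2.
# A numeric sort on each component picks the lower one; equal versions
# are not "older".
version_older() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" \
        | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Walk a directory tree (constructed sample: a few fake viewer binaries)
# and print one line per file that embeds zlib:
#   "VULNERABLE <path> <version>" when older than 1.1.4, else "ok ...".
# Files without an embedded zlib copyright string are silently skipped;
# they use the shared libz.so and are covered by the system upgrade.
report_vulnerable() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        v=$(embedded_zlib_version "$f")
        [ -z "$v" ] && continue
        if version_older "$v" 1.1.4; then
            printf 'VULNERABLE %s %s\n' "$f" "$v"
        else
            printf 'ok %s %s\n' "$f" "$v"
        fi
    done
}

# Usage: sh find_static_zlib.sh /usr/local/bin
if [ -n "${1:-}" ]; then
    report_vulnerable "$1"
fi
```

The check is a heuristic: a binary built from a source-patched 1.1.3 (such as a vendor's fixed package that kept the version string) will still be reported, so treat a hit as "verify the build", not as proof of exposure. It also only sees binaries that carry zlib inside them; anything using the shared library is judged by the version of libz.so installed on the system.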